transition from init_rc
by Tracy Reed
I think I'm really close to having this policy finished and working, just a
couple of things to work out...
When I exercise my app and then run audit2allow and it says:
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow myapp_t default_t:dir search;
allow myapp_t default_t:dir read;
allow myapp_t default_t:file execmod;
allow myapp_t myapp_bin_t:file write;
does it mean only the first line is a constraint violation? Or are all of
those constraint violations?
How does one typically deal with constraint violations? By attribute above I
suppose it means a type attribute, but how do I know which one to add?
Then I have these:
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow initrc_t default_t:file relabelto;
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow initrc_t myapp_api_t:file relabelto;
The init script which starts the service relabels the files when the service
starts. I suspect this is a bad idea and I'm not sure why they are doing it. I
think they may be applying security categories here. We may have to find a
different way to approach that.
But how would I allow this if I wanted to?
Similarly:
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow setfiles_t default_t:file relabelfrom;
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow setfiles_t myapp_api_t:file relabelfrom;
etc...
This is all on CentOS 6.5.
Thanks!
--
Tracy Reed
7 years, 12 months
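audit2allow checks each denial against the installed policy (the same analysis audit2why does): when the access is already granted by an allow rule but a constrain or mlsconstrain statement still denies it, it prints the "constraint violation" comment above that one rule (each flagged access vector gets its own comment, as the later blocks in the post show), so adding the rule it prints cannot help. Constraints compare the SELinux user, role and MLS/MCS range of the two contexts and exempt domains that carry a particular attribute; in the reference policy, for example, create/relabelto/relabelfrom across different SELinux users is gated on can_change_object_identity (granted by domain_obj_id_change_exemption()), and the MLS relabel constraints are exempted by attributes such as mlsfilewrite (mls_file_write_all_levels()). The script below is an added example, not code from the original post or the policy tools: it does the first step of that diagnosis offline by pulling scontext/tcontext out of a raw AVC record and reporting which constraint-relevant fields differ. Both sample records are constructed for the example; the exact constraint text must still be read from the installed policy (policy/constraints and policy/mls in the reference policy sources, or seinfo from setools).

```shell
#!/bin/sh
# Added example (not from the original post): report which of the fields that
# constrain/mlsconstrain statements compare (user, role, range) differ between
# the two contexts of a raw AVC record. Both records below are constructed.
SAMPLE_RELABEL='type=AVC msg=audit(1400000000.000:1): avc:  denied  { relabelto } for  pid=1234 comm="chcon" name="api.conf" dev="dm-0" ino=42 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:myapp_api_t:s0:c5 tclass=file'
SAMPLE_PLAIN='type=AVC msg=audit(1400000000.000:2): avc:  denied  { search } for  pid=1235 comm="myapp" name="/" dev="dm-0" ino=2 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir'

# Value of key=... in an audit record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Field n of a context: 1=user 2=role 3=type 4=range. The range is everything
# after the third colon since it can contain colons itself (s0-s0:c0.c1023).
ctx_field() {
    if [ "$2" -eq 4 ]; then
        printf '%s\n' "$1" | cut -d: -f4-
    else
        printf '%s\n' "$1" | cut -d: -f"$2"
    fi
}

# Compare the contexts; the last line printed is the verdict:
#   "verdict: constraint fields differ: <list>" -> read the constrain/
#        mlsconstrain statements for this class and permission
#   "verdict: contexts differ only by type"      -> a plain allow rule, or a
#        type-attribute test inside a constraint, is what is missing
avc_constraint_hints() {
    local avc="$1" sctx tctx tclass perms i name s t mismatch=""
    sctx=$(avc_field "$avc" scontext)
    tctx=$(avc_field "$avc" tcontext)
    tclass=$(avc_field "$avc" tclass)
    perms=$(printf '%s\n' "$avc" | sed -n 's/.*{ \([^}]*\) }.*/\1/p')
    echo "denied { $perms } on class $tclass"
    echo "  scontext: $sctx"
    echo "  tcontext: $tctx"
    for i in 1 2 3 4; do
        case $i in
            1) name=user ;;
            2) name=role ;;
            3) name=type ;;
            4) name=range ;;
        esac
        s=$(ctx_field "$sctx" "$i")
        t=$(ctx_field "$tctx" "$i")
        [ "$s" = "$t" ] && continue
        if [ "$name" = role ] && [ "$t" = object_r ]; then
            # Objects always carry object_r; role constraints only matter for
            # process targets (e.g. r1 == r2 on a process transition).
            echo "  role differs: $s vs $t (object target, ignored)"
        elif [ "$name" = type ]; then
            echo "  type differs: $s vs $t"
        else
            echo "  $name differs: $s vs $t"
            mismatch="$mismatch $name"
        fi
    done
    case " $mismatch " in
        *" user "*)
            echo "  hint: u1 != u2; in the reference policy, create/relabelto/relabelfrom across"
            echo "        users needs the can_change_object_identity attribute"
            echo "        (granted by domain_obj_id_change_exemption())" ;;
    esac
    case " $mismatch " in
        *" range "*)
            echo "  hint: ranges differ; read the mlsconstrain rules for $tclass { $perms }."
            echo "        Exemptions are attributes such as mlsfilewrite (mls_file_write_all_levels())" ;;
    esac
    if [ -n "$mismatch" ]; then
        echo "verdict: constraint fields differ:$mismatch"
    else
        echo "verdict: contexts differ only by type"
    fi
}

avc_constraint_hints "$SAMPLE_RELABEL"
avc_constraint_hints "$SAMPLE_PLAIN"
```

Feed it the raw `type=AVC` lines from /var/log/audit/audit.log rather than the audit2allow output, since audit2allow has already collapsed the contexts down to types. Once the mismatching field is known, the fix is to give the source domain the exempting attribute through its policy interface (or to stop the relabel, as the post already considers), not to add another allow rule.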
deny_execmem Rhel7
by Tim.Einmahl@kba.de
Hi,
in RHEL6 there was an SELinux type called java_exec_t, so it was possible to set allow_execmem to off and still run java without problems if it was labeled correctly.
In RHEL7 the type java_exec_t seems to have gone, so setting deny_execmem leads to problems running java. But I don't want to set deny_execmem globally.
Any idea how to achieve that?
Regards
Tim
8 years, 5 months
'su' in a Docker container -> AVC
by Laurent Rineau
I have a container whose entrypoint uses 'su' to drop its privileges. The run of the container triggers an AVC, but the container seems to run normally.
That is on a server, and the SELinux Troubleshooter sends me emails (see the attachment).
Two questions:
1/ Is there a way to report bugs to Bugzilla using the command line sealert tool (or another command line tool), like what we can do using the GUI?
2/ What should I do to fix that issue, if that is one?
I copy-paste here the AVC (the attached email has more information):
type=AVC msg=audit(1434542552.136:6332403): avc: denied { search } for pid=11266 comm="su" scontext=system_u:system_r:svirt_lxc_net_t:s0:c68,c965 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=key
type=SYSCALL msg=audit(1434542552.136:6332403): arch=x86_64 syscall=keyctl success=no exit=EACCES a0=0 a1=fffffffd a2=0 a3=7f7c50a132f0 items=0 ppid=11065 pid=11266 auid=4294967295 uid=500 gid=501 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=su exe=/usr/bin/su subj=system_u:system_r:svirt_lxc_net_t:s0:c68,c965 key=(null)
--
Laurent Rineau
http://fedoraproject.org/wiki/LaurentRineau
8 years, 5 months
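The AVC in the post is on the key class, and the SYSCALL record next to it says which keyctl call failed. Keyrings are labeled with the context of the process that created them, so a session keyring with tcontext crond_t is consistent with the keyring having been created under cron (for instance a cron job that launched the container); the record itself does not say who created it. The decoder below is an added example, not code from the post or from Docker: it turns the hex register values of the SYSCALL record into the keyctl operation and the KEY_SPEC_* keyring it named (numbers from the kernel's linux/keyctl.h), using the record from the post as its sample.

```shell
#!/bin/sh
# Added example (not from the original post): decode the keyctl SYSCALL record
# that accompanies a key-class AVC. Sample record is the one from the post.
SAMPLE_SYSCALL='type=SYSCALL msg=audit(1434542552.136:6332403): arch=x86_64 syscall=keyctl success=no exit=EACCES a0=0 a1=fffffffd a2=0 a3=7f7c50a132f0 items=0 ppid=11065 pid=11266 auid=4294967295 uid=500 gid=501 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=su exe=/usr/bin/su subj=system_u:system_r:svirt_lxc_net_t:s0:c68,c965 key=(null)'

# Value of key=... in an audit record.
rec_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# The aN registers are printed as hex; key_serial_t is a signed 32-bit int,
# so the negative KEY_SPEC_* IDs show up as fffffffd and friends.
hex_to_s32() {
    local v
    v=$(( 0x$1 & 0xffffffff ))
    if [ "$v" -ge 2147483648 ]; then
        v=$(( v - 4294967296 ))
    fi
    printf '%d\n' "$v"
}

# keyctl operation numbers (linux/keyctl.h).
keyctl_op_name() {
    case $1 in
        0)  echo KEYCTL_GET_KEYRING_ID ;;
        1)  echo KEYCTL_JOIN_SESSION_KEYRING ;;
        2)  echo KEYCTL_UPDATE ;;
        3)  echo KEYCTL_REVOKE ;;
        4)  echo KEYCTL_CHOWN ;;
        5)  echo KEYCTL_SETPERM ;;
        6)  echo KEYCTL_DESCRIBE ;;
        7)  echo KEYCTL_CLEAR ;;
        8)  echo KEYCTL_LINK ;;
        9)  echo KEYCTL_UNLINK ;;
        10) echo KEYCTL_SEARCH ;;
        11) echo KEYCTL_READ ;;
        *)  echo "KEYCTL_op_$1" ;;
    esac
}

# Special keyring IDs (linux/keyctl.h); anything else is a real key serial.
key_id_name() {
    case $1 in
        -1) echo KEY_SPEC_THREAD_KEYRING ;;
        -2) echo KEY_SPEC_PROCESS_KEYRING ;;
        -3) echo KEY_SPEC_SESSION_KEYRING ;;
        -4) echo KEY_SPEC_USER_KEYRING ;;
        -5) echo KEY_SPEC_USER_SESSION_KEYRING ;;
        -6) echo KEY_SPEC_GROUP_KEYRING ;;
        -7) echo KEY_SPEC_REQKEY_AUTH_KEY ;;
        *)  echo "key_serial_$1" ;;
    esac
}

# Print one line: the decoded call, then who made it and how it failed.
# For KEYCTL_GET_KEYRING_ID a1 is the keyring and a2 the "create" flag; for
# the other operations a1 is the key/keyring the call operates on.
decode_keyctl_record() {
    local rec="$1" op a1 a2 call
    if [ "$(rec_field "$rec" syscall)" != keyctl ]; then
        echo "not a keyctl record"
        return 0
    fi
    op=$(hex_to_s32 "$(rec_field "$rec" a0)")
    a1=$(hex_to_s32 "$(rec_field "$rec" a1)")
    a2=$(hex_to_s32 "$(rec_field "$rec" a2)")
    case $op in
        0) call="keyctl($(keyctl_op_name "$op"), $(key_id_name "$a1"), create=$a2)" ;;
        *) call="keyctl($(keyctl_op_name "$op"), $(key_id_name "$a1"), ...)" ;;
    esac
    echo "$call by comm=$(rec_field "$rec" comm) pid=$(rec_field "$rec" pid) subj=$(rec_field "$rec" subj) -> exit=$(rec_field "$rec" exit)"
}

decode_keyctl_record "$SAMPLE_SYSCALL"
```

For the record in the post this reads as keyctl(KEYCTL_GET_KEYRING_ID, KEY_SPEC_SESSION_KEYRING, create=0): su asked for the ID of the existing session keyring, and looking it up requires key:search on that keyring, which is what svirt_lxc_net_t was denied against the crond_t-labeled keyring.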
New issue with Fedora 22
by David Highley
semodule -i *.pp
libsepol.permission_copy_callback: Module my_logrotate depends on
permission kill in class service, not satisfied (No such file or
directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or
directory).
If we try semodule -r my_logrotate, it fails to remove with the same
complaint about my_fail2ban, which is the one we were trying to reinstall,
as it seems not to be functioning: we see the following AVC, which we
allow in the policy. This is on a system we did a fedup from Fedora 21.
time->Mon Jun 15 01:10:47 2015
type=AVC msg=audit(1434355847.063:29227): avc: denied { net_admin } for pid=12476 comm="firewall-cmd" capability=12 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=capability permissive=0
8 years, 5 months
Re: SELinux: Interface Labeling Problem
by Maurizio Pagani
OK, I have also attached the community to this thread.
Can someone please help me?
Thanks
On Thursday 11 June 2015, Paul Moore <paul(a)paul-moore.com> wrote:
> On Thu, Jun 11, 2015 at 4:22 PM, Maurizio Pagani <pag.maurizio(a)gmail.com> wrote:
> > Any idea??? Please is important.
>
> As Stephen already mentioned, please repost your question to the
> mailing list so that others can benefit.
>
> > On Thursday 11 June 2015, Gmail <pag.maurizio(a)gmail.com> wrote:
> >>
> >> Hi Stephen,
> >>
> >> OK, but with peer labeling I saw that it is not possible to block a specific
> >> domain from using an interface labeled with netif_hostonly_t, right? If
> >> not, how can I block a specific domain from using my network interface?
> >>
> >> However, the next questions I'll write to the distribution list.
> >>
> >> Thanks in advance,
> >>
> >> Maurizio Pagani
> >> Systems and Security Specialist
> >>
> >> Kay Systems Italia
> >> www.ksi.it
> >> Viale Libano , 80 - 00144 Roma
> >> fax: +39 06 542799-60
> >> mobile: +39 335 1382689
> >> e-mail: maurizio.pagani(a)ksi.it
> >>
> >> -----Original message-----
> >> From: Stephen Smalley [mailto:sds@tycho.nsa.gov]
> >> Sent: Thursday 11 June 2015 14:49
> >> To: Gmail; paul(a)paul-moore.com; james.l.morris(a)oracle.com; 'Daniel J
> >> Walsh'; 'Dominick Grift'; 'Sven Vermeulen'; eparis(a)parisplace.org
> >> Subject: Re: SELinux: Interface Labeling Problem
> >>
> >> Is there a reason you didn't post this to selinux list
> >> (selinux(a)tycho.nsa.gov, subscribe via selinux-join(a)tycho.nsa.gov)?
> >> We prefer questions to go to the list so that they are archived for
> >> others and anyone in the community can respond to them.
> >>
> >> In any event, SELinux network permission checks have changed over time.
> >> The netif { tcp_recv tcp_send udp_recv udp_send } checks were legacy
> >> network checks that were removed in Linux 2.6.30. netif { ingress egress }
> >> are newer checks that are only enabled if you have configured peer
> >> labeling via NetLabel or labeled IPSEC/xfrm.
> >>
> >> On 06/11/2015 06:27 AM, Gmail wrote:
> >> > Hi everybody
> >> >
> >> > I'm Maurizio Pagani (LordFire in #SELinux IRC freenode).
> >> >
> >> > I write to you because I'm implementing a SELinux solution with
> >> > particular attention to Network Labeling.
> >> >
> >> > I'm doing this through some blogs (Paul Moore in particular, Walsh and
> >> > others) and books (Sven Vermeulen), but now I'm blocked by a little
> >> > problem that does not let me go on.
> >> >
> >> > The subject is: "Interface Labeling".
> >> >
> >> > In a few words, I created a very simple policy called
> >> > "netif_hostonly_t"; the .te is this:
> >> >
> >> > policy_module(netif_hostonly, 1.0.0)
> >> >
> >> > require {
> >> >     type unconfined_t;
> >> >     class netif { tcp_recv tcp_send udp_recv udp_send ingress egress };
> >> > }
> >> >
> >> > # I declare my type
> >> > type netif_hostonly_t;
> >> >
> >> > allow unconfined_t netif_hostonly_t : netif { tcp_recv tcp_send
> >> > udp_recv udp_send ingress egress };
> >> >
> >> > Next Step:
> >> >
> >> > semanage interface -a -t netif_hostonly_t eno50332208
> >> >
> >> > I checked that it is labeled correctly.
> >> >
> >> > But I don't see any avc denied messages; this is the problem. I thought
> >> > that, as always, SELinux blocks everything and afterwards, through raw SELinux
> >> > language (allow/dontaudit/auditallow/neverallow), we can open specific
> >> > communications, but instead I don't see anything.
> >> >
> >> > Am I doing something wrong? It is not very clear on the web, or in the other
> >> > blogs / books; maybe I need a SECMARK rule? But it is not
> >> > listed as a requirement, because "port labeling" is also used
> >> > without setting a SECMARK rule.
> >> >
> >> > Please, I'm blocked with my customer project by this (I think) stupid
> >> > problem; maybe you surely know the solution and can share it with me.
> >> >
> >> > Thanks in advance,
> >> >
> >> > Maurizio Pagani
> >
> --
> paul moore
> www.paul-moore.com
8 years, 5 months
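Stephen's reply explains why nothing is denied: without NetLabel or labeled IPsec the netif { ingress egress } checks are not enforced, and the tcp_*/udp_* netif checks disappeared in 2.6.30, so an interface label alone does not gate any domain. The usual way to tie a domain to an interface without peer labeling is the SECMARK route the original mail asks about: iptables stamps packets that cross the interface with a packet type, and the policy decides per domain who may send and receive packets of that type. The following is an added example, not code from the thread or from any of its participants; the packet type hostonly_packet_t and the chain name HOSTONLY_MARK are chosen for the example, the interface name is the one from the thread, and only unconfined_t is allowed to use the interface, so every other domain is blocked on it.

```shell
#!/bin/sh
# Added example (not from the thread): SECMARK-based per-domain interface
# control. Names hostonly_packet_t and HOSTONLY_MARK are assumptions.

IFACE=${IFACE:-eno50332208}
PKT_CTX=system_u:object_r:hostonly_packet_t:s0

# Policy module: declares the packet type and allows only unconfined_t to
# use it. Any domain without a matching allow rule is denied packet
# { send recv } on that type, which is the per-domain block the thread asks for.
write_hostonly_module() {   # $1 = output directory
    cat > "$1/hostonly_packet.te" <<'EOF'
policy_module(hostonly_packet, 1.0.0)

gen_require(`
	type unconfined_t;
')

# corenet_packet() marks the type as a packet_type so it can be used
# as the target of packet class rules.
type hostonly_packet_t;
corenet_packet(hostonly_packet_t)

allow unconfined_t hostonly_packet_t:packet { send recv };
EOF
}

# iptables rules (mangle table) that label traffic on $IFACE. New connections
# get the SECMARK and the label is saved on the conntrack entry; established
# and related traffic gets it back through CONNSECMARK --restore.
secmark_rules() {
    cat <<EOF
iptables -t mangle -N HOSTONLY_MARK
iptables -t mangle -A HOSTONLY_MARK -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
iptables -t mangle -A HOSTONLY_MARK -m state --state NEW -j SECMARK --selctx $PKT_CTX
iptables -t mangle -A HOSTONLY_MARK -m state --state NEW -j CONNSECMARK --save
iptables -t mangle -A INPUT -i $IFACE -j HOSTONLY_MARK
iptables -t mangle -A OUTPUT -o $IFACE -j HOSTONLY_MARK
EOF
}

# Apply the rules; only runs as root with iptables present. The policy module
# must be built and loaded first (make -f /usr/share/selinux/devel/Makefile
# hostonly_packet.pp && semodule -i hostonly_packet.pp), otherwise the SECMARK
# context is rejected.
apply_secmark_rules() {
    if [ "$(id -u)" -ne 0 ] || ! command -v iptables >/dev/null 2>&1; then
        echo "skipping: need root and iptables" >&2
        return 0
    fi
    secmark_rules | while IFS= read -r rule; do
        echo "+ $rule" >&2
        eval "$rule"
    done
}

dir=$(mktemp -d)
write_hostonly_module "$dir"
echo "policy module written to $dir/hostonly_packet.te"
secmark_rules
apply_secmark_rules
```

Two caveats before enabling this on a real host: once any SECMARK rule is loaded, the kernel also checks unlabeled packets as unlabeled_t:packet, so confirm that domains which must keep talking on other interfaces are allowed those (sesearch -A -t unlabeled_t -c packet); and test in permissive mode first, because a domain blocked from the interface loses its replies as well as its outbound traffic.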
Policy not taking effect
by Marko Rauhamaa
To learn about selinux, I am trying to create a policy that would assign
the file /etc/xyz the type tuned_log_t.
I have:
===begin xyz.te=========================================================
policy_module(xyz, 1.0.0)
===end xyz.te===========================================================
===begin xyz.fc=========================================================
/etc/xyz -- gen_context(system_u:object_r:tuned_log_t,s0)
===end xyz.fc===========================================================
Then I execute:
# rm -f /etc/xyz
# make -f /usr/share/selinux/devel/Makefile xyz.pp
Compiling targeted xyz module
/usr/bin/checkmodule: loading policy configuration from tmp/xyz.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 17) to
tmp/xyz.mod
Creating targeted xyz.pp policy package
rm tmp/xyz.mod.fc tmp/xyz.mod
# semodule -i xyz.pp
# touch /etc/xyz
# ls -Z /etc/xyz
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 /etc/xyz
# restorecon /etc/xyz
# ls -Z /etc/xyz
-rw-r--r--. root root unconfined_u:object_r:tuned_log_t:s0 /etc/xyz
Why is /etc/xyz not getting the correct type immediately as the policy
would dictate?
Marko
8 years, 5 months
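A file context (.fc) entry is only consulted by the labeling tools (restorecon, setfiles, rpm) and at relabel time; a file created with touch gets its type from the kernel's type_transition rules, and without one it inherits the type of the parent directory, which is why /etc/xyz comes out as etc_t until restorecon runs. To have it labeled at creation time the module also needs a named file transition for the creating domain. The module below is an added example, not the poster's code: it assumes the file is created from an unconfined_t shell, as in the post, that tuned_log_t and unconfined_t exist in the loaded policy, and that the policy supports name-based transitions (policy version 25 and kernel 2.6.39 or later, which Fedora 22 has).

```shell
#!/bin/sh
# Added example (not from the original post): xyz module with a named file
# transition so that "touch /etc/xyz" from unconfined_t yields tuned_log_t.

write_xyz_module() {    # $1 = directory to write xyz.te and xyz.fc into
    cat > "$1/xyz.te" <<'EOF'
policy_module(xyz, 1.0.1)

gen_require(`
	type unconfined_t;
	type tuned_log_t;
')

# Name-based transition: when unconfined_t creates a file called "xyz" in a
# directory of type etc_t, label it tuned_log_t instead of inheriting etc_t.
# files_etc_filetrans() expands to the type_transition plus the directory
# permissions on etc_t that the transition needs.
files_etc_filetrans(unconfined_t, tuned_log_t, file, "xyz")
EOF
    # The .fc entry is still needed so that restorecon/setfiles and rpm
    # agree with the transition.
    cat > "$1/xyz.fc" <<'EOF'
/etc/xyz		--	gen_context(system_u:object_r:tuned_log_t,s0)
EOF
}

# Build and load the module the same way the post does; only runs where the
# selinux-policy-devel Makefile is installed and we are root. The final ls -Z
# should show tuned_log_t without a restorecon.
build_and_load_xyz() {   # $1 = directory containing xyz.te and xyz.fc
    if [ ! -f /usr/share/selinux/devel/Makefile ] || [ "$(id -u)" -ne 0 ]; then
        echo "skipping build: need selinux-policy-devel and root" >&2
        return 0
    fi
    (cd "$1" && make -f /usr/share/selinux/devel/Makefile xyz.pp) &&
        semodule -i "$1/xyz.pp" &&
        rm -f /etc/xyz && touch /etc/xyz && ls -Z /etc/xyz
}

dir=$(mktemp -d)
write_xyz_module "$dir"
build_and_load_xyz "$dir"
```

If the file is created by some other domain (a daemon, a different shell type), that domain is the first argument of files_etc_filetrans(); the rule is keyed on the creating process, not on the path.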
secure_mode_policyload troubles
by George Karakougioumtzis
After an upgrade to Fedora 22 I was able to solve all the problems I had
with systemd-logind not being able to register user sessions, and
everything except polkit was working flawlessly in enforcing mode (well,
since polkit is responsible for shutting down the system from the
gnome-shell and I can't do that, you can't say it's a flawless desktop
experience, but OK, it solved many other problems). Now after I turned on the
secure_mode_policyload boolean I am in the same state. Pulseaudio is not
working, loginctl shows no user sessions with a message of "start user
slice failed", and polkit doesn't work for any of my users.
The audit subsystem doesn't reveal anything useful. Even if I turn off the
boolean I still have these problems. Where to go from here?
8 years, 6 months
Adding new type
by Marko Rauhamaa
<URL: https://fedoraproject.org/wiki/Security_context?rd=SELinux/SecurityContext> :
The 3rd component of the security context is the Type component, for
example /usr/sbin/httpd is labeled with a type of “httpd_exec_t".
In my opinion this is the most important field in the SELinux
security context. This is the heart of SELinux Type Enforcement. Most
of the policy rules in SELinux revolve around what subject types have
what access to which object types. By convention this component
always ends in a "_t".
I am a developer creating a new type of service. Let's call it "abcd."
Am I expected to have my RPM package create a new type "abcd_exec_t"?
What document describes the proper steps to introduce the type to the
system?
Marko
8 years, 6 months
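A service that needs its own domain ships its own policy module: the .te declares the domain and its types, the .fc maps the package's paths to them, and the RPM loads the module at install time. The following is an added example, not the poster's code or a Fedora document: the names abcd_t, abcd_exec_t, abcd_var_lib_t, /usr/sbin/abcd, /var/lib/abcd and the .pp install path are hypothetical, following the "abcd" of the question. On Fedora, sepolicy generate --init /usr/sbin/abcd writes a fuller skeleton of the same shape and is the usual starting point.

```shell
#!/bin/sh
# Added example (not from the original post): minimal policy module and RPM
# scriptlets for a hypothetical service "abcd".

write_abcd_module() {   # $1 = output directory
    cat > "$1/abcd.te" <<'EOF'
policy_module(abcd, 1.0.0)

# Domain the service runs in, and the type of its executable.
type abcd_t;
type abcd_exec_t;
# Makes abcd_t a domain with abcd_exec_t as its entrypoint and adds the
# transition so that init/systemd executing /usr/sbin/abcd ends up in abcd_t.
init_daemon_domain(abcd_t, abcd_exec_t)

# Persistent state under /var/lib/abcd.
type abcd_var_lib_t;
files_type(abcd_var_lib_t)
manage_dirs_pattern(abcd_t, abcd_var_lib_t, abcd_var_lib_t)
manage_files_pattern(abcd_t, abcd_var_lib_t, abcd_var_lib_t)

# Typical daemon need; further rules come from running the service in
# permissive mode and feeding the AVCs to audit2allow.
logging_send_syslog_msg(abcd_t)
EOF
    cat > "$1/abcd.fc" <<'EOF'
/usr/sbin/abcd		--	gen_context(system_u:object_r:abcd_exec_t,s0)
/var/lib/abcd(/.*)?		gen_context(system_u:object_r:abcd_var_lib_t,s0)
EOF
    # RPM scriptlets: load the module, relabel the paths it claims, and
    # remove the module on the last uninstall. The .pp path is an assumption.
    cat > "$1/abcd.spec.scriptlets" <<'EOF'
%post
semodule -i %{_datadir}/selinux/packages/abcd.pp || :
restorecon -R /usr/sbin/abcd /var/lib/abcd || :

%postun
if [ $1 -eq 0 ]; then
    semodule -r abcd || :
fi
EOF
}

# Build and load with the selinux-policy-devel Makefile, like the other posts
# on this list; skipped unless the Makefile is present and we are root.
build_abcd_module() {   # $1 = directory holding abcd.te and abcd.fc
    if [ ! -f /usr/share/selinux/devel/Makefile ] || [ "$(id -u)" -ne 0 ]; then
        echo "skipping build: need selinux-policy-devel and root" >&2
        return 0
    fi
    (cd "$1" && make -f /usr/share/selinux/devel/Makefile abcd.pp) &&
        semodule -i "$1/abcd.pp" &&
        restorecon -Rv /usr/sbin/abcd /var/lib/abcd
}

dir=$(mktemp -d)
write_abcd_module "$dir"
build_abcd_module "$dir"
```

The package itself does not "create a type" at runtime; it installs a compiled module that declares the types, and restorecon applies the .fc entries to the files the package owns. Keep the module's own version (policy_module's second argument) moving with the package so that semodule upgrades it cleanly.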
Re: CentOS 7 selinux policy bug [SOLVED]
by mark
Dan,
On 06/01/15 16:27, m.roth(a)5-cent.us wrote:
> From: "Daniel J Walsh" <dwalsh(a)redhat.com>
> Cc: "Miroslav Grepl" <mgrepl(a)redhat.com>
> On 05/29/2015 04:34 PM, m.roth(a)5-cent.us wrote:
>> Daniel J Walsh wrote:
>>> On 05/29/2015 01:03 PM, m.roth(a)5-cent.us wrote:
>>>> Daniel J Walsh wrote:
>>>>> On 05/29/2015 09:20 AM, m.roth(a)5-cent.us wrote:
> >>>>>> CentOS 7.1. SELinux policy, and targeted, updated two days ago.
>>>>>>
>>>>>> May 28 17:02:41 <servername> python: SELinux is preventing
>>>>>> /usr/bin/bash from execute access on the file
/usr/bin/bash.#012#012***** <...>
<snip>
>>
> I just pushed this to fedora upstream policy
>
> commit 035cecfb52aff40a60b0bb7651aadc284e0dffb7
> Author: Dan Walsh <dwalsh(a)redhat.com>
> Date: Mon Jun 1 08:59:29 2015 -0400
>
> rsync server can be setup to send mail
>
> You can add the rules locally by compiling and installing this policy
> create myrsync.te to look like the following
> # =========================================
> policy_module(myrsync, 1.0)
>
> gen_require(`
> type rsync_t;
> ')
> mta_send_mail(rsync_t)
> # ==========================================
>
> Then execute
>
> # make -f /usr/share/selinux/devel/Makefile
> # semodule -i myrsync.pp
<snip>
I installed selinux-policy-devel, it built and I installed it, and it
appears to fix my problem.
Thanks again, Dan.
mark
8 years, 6 months